Office of Inspector General

Report of Audit

SECURITY OF REGION IV LOCAL AREA NETWORKS (LANs)

SEPTEMBER 29, 1997

Audit Report E1NMF7-15-0001-7100308

Inspector General Division Conducting the Audit: ADP Audits and Assistance Staff

Region Covered: Region IV

Program Offices Involved: Information Management Branch

EXECUTIVE SUMMARY

PURPOSE

The objectives of this audit were to: 1) test the physical, security, and detective controls over the Region IV Local Area Networks (LANs)[1], especially those controls involving physical and logical access; 2) verify the adequacy of controls relative to the backup and recovery of the regional file servers; and 3) verify that adequate policy, procedures and administrative controls exist relative to regional LAN management.

BACKGROUND

The majority of EPA's employees are connected to local and Agency applications and data through LANs and the VABS. The Enterprise Technical Services Division's (ETSD) LANSYS group is responsible for maintenance of the backbone servers, the backbone software, and the backbone wiring throughout EPA. However, each individual LAN is managed locally by the program office(s) it serves. The Information Management Branch (IMB) controls all of Region IV's LAN administration.

ETSD requires adherence to EPA's security standards in order for a LAN to be connected to an Agency facility backbone and to obtain ETSD support. However, these are minimum security standards and it is ultimately left up to local management and LAN System Administrators (SAs) to design and implement security for their LAN. The degree of security needed at a LAN site will vary with the type of data processed and the physical security afforded by the facility.
Each LAN must comply with the security standards listed in Section 6 of NDPD Operational Directive No. 310.09. These standards state the minimum levels of security which must be implemented and maintained. Compliance with these security policies is a prerequisite for connection to the Agency backbone and for support by ETSD. Failure to comply with these policies will result in disconnection of a LAN from the Agency internetwork and removal of ETSD support.

As the number of new LAN installations increases, so does the number of programs and quantity of data stored on these LANs. The task of securing resources is even more difficult when work group PCs are connected to form LANs, in order to share resources. Any one work group LAN may be adequately self-contained and have a LAN System Administrator. Once these separate LANs are connected via a facility-wide backbone, physical access among work groups is granted. Therefore, with the increased number of access points, security becomes a larger issue for all users and LAN System Administrators.

[1] A data communication network operating over a limited geographical area, typically within a building or group of buildings.

AUDIT RESULTS IN BRIEF

Our audit of IMB LAN security determined that procedures for terminating access to the LANs are not formalized. We also determined that IMB did not have a security plan or backup/disaster recovery plan. In addition, we determined that there were no formal policies covering LAN maintenance procedures. Management was unaware of the Federal requirements concerning plans and procedures, prior to the recent receipt of Agency-issued guidance. Lack of plans and procedures could lead to unauthorized disclosure or manipulation of sensitive Agency data. We also noted that there were a number of Novell server settings and configuration irregularities which need to be corrected.
Region IV recognized the importance of the security deficiencies outlined in our findings, and their response to the draft report recommendations demonstrates their willingness to enhance regional security controls.

PRINCIPAL FINDINGS

Region IV Needs A Disaster Recovery Plan

IMB has not developed a disaster recovery plan for the Region IV LANs. These LANs contain sensitive Agency information dealing with a variety of program office data. In the event of a disaster, critical information would be lost and IMB would have a difficult time restoring the LANs to pre-disaster condition. A disaster scenario is any likely event that has a chance of occurring and, if it occurs, has the potential for significantly interrupting normal business processing. These events include fires, severe thunderstorms, tornados, hurricanes and floods. IMB management was unaware of Agency requirements for a formal disaster recovery plan.

Formal LAN Access Termination Control Procedures Are Needed

IMB does not have a structured, consistent process for rescinding access to Region IV LANs. There are no formal procedures to be followed in the event that an employee is terminated or transferred. Currently, the LAN administrator is not directly notified when an employee is terminated or transferred. Since the LAN group moved to a new building in August of 1996, management had not made developing formal termination and transfer policy and procedures a high priority. Unauthorized access could lead to the manipulation and destruction of data.

Region IV Needs A LAN Security Plan

Region IV does not have a LAN security plan as required by OMB Circular A-130. In addition, IMB did not identify the lack of a LAN security plan as a "material weakness" in their fiscal 1996 Federal Managers' Financial Integrity Act (FMFIA) Assurance Letter. IMB was unaware of the OMB Circular A-130 requirement.
OMB Circular A-130 requires that management approve security plans at least every three years through the OMB Circular A-123 process. In addition, it specifies that security control weaknesses be reported as part of the Agency's OMB Circular A-123 annual review process. Without an adequate LAN security plan, employees would be unable to provide adequate protection against violators.

Formalize LAN Policy And Maintenance Procedures

Region IV lacks policies and procedures for overall LAN maintenance as well as standard operating procedures for daily routines, such as granting and terminating access, making backup tapes, etc. IMB attributed the non-existence of policies and procedures to conflicting priorities and scarce resources. Currently, IMB has only two LAN Administrators to manage 28 servers. However, a lack of policies and procedures could lead to inconsistent application of settings and loss of accountability.

LAN Settings Are Not In Accordance With Agency Standards And Industry Guidance

Some of Region IV's LAN account settings are not in compliance with the Agency's LAN Operational Procedures and Standards (LOPS) manual and industry standards. We determined, through the use of Axent Technologies' OmniGuard/Enterprise Security Manager (ESM) software and discussions with responsible program officials, that IMB does not follow all of the guidelines set forth in the Agency's LOPS. Non-compliance with standard security requirements could leave the LAN vulnerable to hacker attacks from within and outside the Agency. Discussions with IMB management determined that they were unaware of required Agency LAN settings.

RECOMMENDATIONS

We recommend that the Chief for Region IV's Information Management Branch develop a security plan and a disaster recovery plan.
In addition, we recommend that IMB develop formal policies covering overall LAN maintenance as well as routine operating procedures for LAN administrators. We also recommend that IMB formalize LAN termination procedures. Finally, we recommend that IMB bring Novell server settings into accordance with Agency and industry guidance.

AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 10, 1997, Region IV's Chief for Information Management responded to our draft report (see Appendix I). In summary, Agency officials agreed with all of our recommendations. Region IV agreed to develop both disaster recovery and security plans, establish formal LAN policy, maintenance and termination procedures, and to use ESM to bring regional LAN settings into accordance with Agency guidelines.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

CHAPTERS

1  INTRODUCTION
   PURPOSE
   BACKGROUND
   SCOPE AND METHODOLOGY
   CRITERIA

2  REGION IV NEEDS A LAN DISASTER RECOVERY PLAN

3  FORMAL LAN ACCESS TERMINATION CONTROL PROCEDURES ARE NEEDED

4  REGION IV NEEDS A LAN SECURITY PLAN

5  FORMALIZE LAN POLICY AND MAINTENANCE PROCEDURES
6  LAN SETTINGS ARE NOT IN ACCORDANCE WITH AGENCY STANDARDS AND INDUSTRY GUIDANCE

APPENDICES

I    AGENCY RESPONSE TO DRAFT REPORT
II   ENTERPRISE SECURITY MANAGER (ESM)
III  GLOSSARY
IV   REPORT DISTRIBUTION

CHAPTER 1

INTRODUCTION

PURPOSE

The objectives of this audit were to: 1) test the physical, security, and detective controls over the Region IV Local Area Networks (LANs), especially those controls involving physical and logical access; 2) verify the adequacy of controls relative to the backup and recovery of the regional file servers; and 3) verify that adequate policy, procedures and administrative controls exist relative to regional LAN management.

BACKGROUND

Region IV LANs

The Information Management Branch (IMB) controls all of Region IV's LAN administration. Region IV has occupied the newly constructed Atlanta Federal Center (AFC) since August 1996. The EPA Region IV LAN consists of 33 file servers operating on eight floors of the AFC in Atlanta, Georgia and at the Regional laboratory in Athens, Georgia.
These file servers comprise the backbone for the 10 local area networks serving the following Divisions and Offices: Environmental Accountability Division, Waste Management Division, Water Management Division, Science & Ecosystem Support Division, Air, Pesticides, and Toxics Management Division, and the Offices of Policy & Management, Congressional Affairs, and Public Affairs.

Each server can provide some or all of the following applications within the Region:

o  Communication services - e.g., electronic mail, Internet access, EPA Mainframe access, remote access to employees working outside the office, dial-up access to remote computers;

o  Agency Standard Software - e.g., WordPerfect word processor, Lotus Spreadsheets, dBASE III & IV database applications, Windows 3.1, Freelance and Harvard Graphics;

o  Electronic Forms - e.g., time sheets, supplies ordering, travel authorization and laptop checkout;

o  Miscellaneous Applications - e.g., Oracle Database, Superfund document management and Lotus Notes;

o  Information Resources - CD-ROM Services.

IMB purchased state-of-the-art equipment for the Region's move to the new AFC. The ten file servers forming the major backbone for the LAN were bought at the time the Region moved to this building.

LAN Management

The majority of EPA's employees are connected to local and Agency applications and data through LANs and the VABS. The Enterprise Technical Services Division's (ETSD) LANSYS group is responsible for maintenance of the backbone servers, the backbone software, and the backbone wiring throughout EPA. However, each individual LAN is managed locally by the program office it serves.

ETSD requires adherence to EPA's security standards in order for a LAN to be connected to an Agency facility backbone and to obtain ETSD support.
However, these are minimum security standards and it is ultimately left up to local management and LAN System Administrators (SAs) to design and implement security for their LAN. The degree of security needed at a LAN site will vary with the type of data processed and the physical security afforded by the facility. Each LAN must comply with the security standards listed in Section 6 of NDPD Operational Directive No. 310.09. These standards state the minimum levels of security which must be implemented and maintained. Compliance with these security policies is a prerequisite for connection to the Agency backbone and for support by ETSD. Failure to comply with these policies will result in disconnection of a LAN from the Agency internetwork and removal of ETSD support.

Currently, there are approximately 300 LANs within EPA, supporting an estimated 14,000 workstations. Within a few years, it is projected that all Agency employees will be connected by a LAN. Furthermore, it is an ETSD goal to move toward 'workgroup computing' (i.e., everyone uses the same hardware and software in the same way) and eventually to 'Enterprise LANs' where data can be distributed, collected, processed and accessed throughout the Agency.

As the number of new LAN installations increases, so does the number of programs and quantity of data stored on these LANs. Microcomputers or Personal Computers (PCs) pose numerous security issues by themselves. The task of securing these resources is even more difficult when work group PCs are connected to form LANs, in order to share resources.

Any one work group LAN may be adequately self-contained and have a LAN System Administrator. Once these separate LANs are connected via a facility-wide backbone, physical access among work groups is granted.
Therefore, with the increased number of access points, security becomes a larger issue for all users and LAN System Administrators.

SCOPE AND METHODOLOGY

The primary focus of this audit was to evaluate the security of Region IV's LANs. Field work was conducted from January 1997 through March 1997, at Region IV in Atlanta, Georgia. We conducted this audit in accordance with Government Auditing Standards (1994 revision) issued by the Comptroller General of the United States. We reviewed the procedures for granting access to the Region IV LANs and requested and reviewed applicable system documentation. In addition, we performed a security "walkthrough" and discussed security considerations and requirements with responsible IMB representatives. Finally, we evaluated the compliance of LAN settings and configuration with established Agency information security policies and standards, Federal regulations and industry standards using the Enterprise Security Manager (ESM) software. (For further details on the ESM software, see Appendix II.)

CRITERIA

Federal and Agency guidelines, as well as industry publications, were used to form a framework of prudent, stable business practices and therefore served as a means to evaluate LAN security. Provided below is a summary of the criteria used during this audit. References to other published guidelines are specified throughout this report.

Computer Security Act of 1987 (P.L. 100-235)

The Computer Security Act of 1987 creates a means for establishing minimum acceptable security practices for Federal computer systems, without limiting the scope of security measures already planned or in use. The Computer Security Act requires the establishment of security plans by all operators of Federal computer systems that contain sensitive information.
The Act also requires mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.

The Act assigns to the National Institute of Standards and Technology (formerly the National Bureau of Standards) responsibility for developing standards and guidelines for Federal computer systems. This responsibility includes developing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate. Also, this Act provides for the promulgation of such standards and guidelines.

Office of Management and Budget (OMB) Circular A-130

OMB A-130 mandates that reviews should assure that management, operational, personnel, and technical controls are functioning effectively. Security controls may be reviewed by an independent audit or a self review. The type and rigor of review/audit should be commensurate with the acceptable level of risk which is established in the rules for the system, as well as the likelihood of learning useful information to improve security. Technical tools such as virus scanners, vulnerability assessment products (which look for known security problems, configuration errors, and the installation of the latest patches), and penetration testing can assist in the on-going review of different facets of systems. However, these tools are no substitute for a formal management review at least every three years. Indeed, for some high-risk systems with rapidly changing technology, three years will be too long.

Depending upon the risk and magnitude of harm which could result, weaknesses identified during the review of security controls should be reported as deficiencies in accordance with OMB Circular No.
A-123, "Management Accountability and Control" and the "Federal Managers' Financial Integrity Act" (FMFIA). In particular, if a basic management control such as assignment of responsibility, a workable security plan, or management authorization is missing, then consideration should be given to identifying a deficiency.

OMB Circular A-127

OMB A-127 incorporates the requirement of the Computer Security Act of 1987, stating that agencies plan to secure their systems commensurate with the risk and magnitude of loss or harm which could result from the loss, misuse, or unauthorized access to information contained in those systems. It includes assuring the integrity, availability, and appropriate confidentiality of information. It also involves protection against the harm that could occur to individuals or entities outside of the Federal Government, as well as the harm to the Federal Government. Appendix III to this circular prescribes a minimum set of controls to be included in Federal automated information resources security programs and assigns Federal agency responsibilities for the security of automated information resources. This circular also includes limits on collection and sharing of information and procedures to assure the integrity of information, as well as requirements to adequately secure the information.

Local Area Network Operational Procedures and Standards (LOPS)

The Local Area Network Operational Procedures and Standards (LOPS) describes the minimum, or baseline, standards required for all EPA LANs.
These procedures provide a reference for LAN implementation and operation within the Agency's standardized framework.

EPA Information Security Manual (ISM)

This manual provides the necessary direction to implement Federal regulations concerning information security, and outlines the specific procedures and requirements necessary to ensure adequate protection of all EPA information systems. This manual addresses both manual and automated information systems. The security concepts, roles and responsibilities apply to both manual and automated systems. This manual serves as a baseline for EPA organizations and personnel to measure and determine whether the information they are using is being protected adequately, and that EPA organizations are in compliance with all requirements of the Agency's Information Security Policy.

The ISM applies to all EPA organizations and their employees. It also applies to the facilities and personnel of agents (including contractors) of the EPA who are involved in designing, developing, operating, maintaining, or accessing Agency information and information systems.

CHAPTER 2

REGION IV NEEDS A LAN DISASTER RECOVERY PLAN

Disaster Recovery Plans

IMB has not developed a disaster recovery plan for their Region IV LANs. There are a variety of program offices which use the Region IV LANs. In the event of a disaster, critical information would be lost and IMB would have a difficult time restoring the LANs to pre-disaster condition. IMB management was unaware of Agency requirements for a formal disaster recovery plan. A disaster scenario is any likely event that has a chance of occurring and, if it occurs, has the potential for significantly interrupting normal business processing.
These events include fires, severe thunderstorms, floods, tornados, and hurricanes.

Operations continuity deals with the notion that a business should be able to survive and continue operations even if a disastrous event occurs. Rigorous planning and commitment of resources are necessary to adequately plan for such an event. Contingency planning is the primary responsibility of senior management, as they are entrusted with the safeguarding of both the program information and the viability of the program office to perform its duties.

All of Region IV's file servers are situated in one room within the IMB, which is located in the Martin Luther King Building in Atlanta, Georgia. A disaster need only occur to that particular room to be considered a disaster for Region IV. In the event that Region IV should experience a disaster, such as fire or another form of natural disaster, IMB would be unable to institute a timely disaster recovery process. IMB would have to create information on how to get systems restored after the disaster, thereby increasing restoration time.

During a disaster an adequate disaster recovery plan is of utmost importance. It lends organized plans to what can sometimes be a chaotic situation. An adequate disaster recovery plan should include but is not limited to the following:

-  Notification
   Procedures for notifying relevant managers in the event of a disaster.
   Typically, this includes a contact list of home and emergency telephone numbers.

-  Disaster Declaration
   Procedures pertaining to the assessment of damage following a disaster, criteria for determining whether the situation constitutes a disaster, and procedures for declaring a disaster and invoking the plan.

-  Systems Recovery
   Procedures to be followed to restore critical and vital systems at emergency service levels within a specified time frame, in accordance with the systems recovery strategy defined in the plan.

-  User Recovery
   Procedures for recovering critical and vital user functions within a specified time frame in accordance with the planned strategy. This includes documenting instructions for processing data manually, even though the data may previously have been processed via an automated system. Even if the manual procedure was the standard at one time, continued knowledge of such procedures should not be assumed. This is especially true as tenured employees who may have once performed manual procedures may transfer or retire, and manual documentation and forms can be destroyed or misplaced.

Securely Store Backup Files Off-Site

Taped file backups are not securely stored off-site. Although IMB personnel back up data files manually on a periodic basis, the backups are kept in the homes of the backup administrators. The NDPD Operational Directives Manual No. 310.05, entitled LAN Data Management, requires that LAN administrators perform backups and store the backups securely off-site. The off-site location needs to be as safely secured and controlled as the originating site.
This includes adequate physical access controls such as locked doors, no windows, and human surveillance. This requirement is especially critical for sensitive Agency data. IMB's backup administrators were unaware of the Agency backup data storage requirements.

In addition, Region IV does not have formal policies and procedures to perform backup and off-site storage of Agency data. Currently, experienced LAN administrators perform regularly scheduled backups. However, formal policies and procedures should be established to ensure that any appointed personnel could perform the necessary procedures to back up data.

RECOMMENDATIONS

We recommend that the Chief, Region IV IMB:

2-1.  Develop a disaster recovery plan for the Region IV LANs.

2-2.  Ensure that Agency data backups are securely stored off-site.

2-3.  Establish formal policies and procedures to ensure that any appointed personnel could perform the necessary procedures to back up data.

AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 10, 1997, Region IV's Chief for Information Management responded to our draft report (see Appendix I). In summary, Region IV officials agreed with all three recommendations and stated they would:

   1. Develop a disaster recovery plan by March 1, 1998.

   2. Store backup media with an off-site storage company no later than November 28, 1997.

   3. Establish formal policies and procedures to ensure that any appointed personnel could perform the necessary procedures to back up data.
      These policies and procedures should be complete by December 26, 1997.

We concur with Region IV's response to our recommendations and will evaluate these corrective actions during our follow-up review.

CHAPTER 3

FORMAL LAN ACCESS TERMINATION CONTROL PROCEDURES ARE NEEDED

IMB does not have a structured and consistent process for rescinding access to Region IV LANs. There are no formal procedures to be followed in the event that an employee is terminated. Currently, the LAN administrator is not notified when an employee is terminated or transferred. Management was unaware of the need to formalize the process for terminating LAN user accounts. If the employee has a mainframe account, personnel notifies the computer specialist responsible for mainframe access, as well as the computer specialist responsible for access to the E-mail system. One or both of these computer specialists informs the LAN administrator to remove the employee's account from the particular LAN.

This method of notifying the LAN administrator regarding unnecessary accounts is haphazard and should be formalized. The accounts of terminated employees may remain active and may pose a potential security weakness. In addition, these accounts should be removed in a timely manner.

Human Resources provides an "Employee Separation or Transfer Checklist" (EPA Form 3110-1) for employees to follow when separating from the Agency or transferring internally. In addition to documenting the return of Agency property, this list includes removing mainframe accounts. However, the checklist does not cover LAN accounts.
This checklist was never updated to include removing LAN accounts.

RECOMMENDATION

We recommend that the Chief, Region IV's IMB formalize LAN termination and transfer procedures by:

3-1.  Requesting that the Office of Human Resource Management modify the "Employee Separation or Transfer Checklist" to include removal of LAN accounts.

AGENCY COMMENTS AND OIG EVALUATION

Region IV did not address this issue in the response to the draft report. However, on September 16, 1997, Region IV's Chief for Information Management informed us that regional staff are working with Region IV Human Resources to correct the termination form by December 31, 1997.

We concur with Region IV's corrective action and will evaluate its effectiveness during our follow-up review.

CHAPTER 4

REGION IV NEEDS A LAN SECURITY PLAN

Region IV does not have a LAN security plan as required by OMB A-130. In addition, IMB did not report incomplete security documentation as a control weakness in their fiscal 1996 Federal Managers' Financial Integrity Act (FMFIA) Assurance Letter. IMB was unaware of the OMB Circular A-130 requirement. Management security policies document the standards of compliance. Security policies should state the position of the organization with regard to all security risks, and should also identify who is responsible for safeguarding organization assets, including programs and data. Without an adequate LAN security plan, employees are unable to provide adequate protection against violators.

OMB Circular A-130 requires that management approve security plans at least every three years through the OMB Circular A-123 process.
In addition, it specifies that security control weaknesses be reported as part of the Agency's OMB Circular A-123 annual review process. The Information Resources Management Security Program is relying on the managers of the individual sites and program offices to implement these IRM security requirements or to report information security weaknesses as part of the OMB Circular A-123 process.

OMB Circular A-130 is entitled "Management of Federal Information Resources." Appendix III of this Circular is entitled "Security of Federal Automated Information Systems." This appendix details the required policy and guidance agencies must provide to ensure that automated systems have adequate security programs and documentation. It establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular A-123. The Appendix revises procedures formerly contained in Appendix III to OMB Circular A-130 (50 FR 52730; December 24, 1985), and incorporates requirements of the Computer Security Act of 1987 (P.L. 100-235) and responsibilities assigned in applicable national security directives.

OMB Circular A-130 also requires the development of a security plan and provides guidance regarding the content of an adequate security plan.
Key components of such a security plan include
the following:

       -       Management support and commitment;
       -       Access philosophy;
       -       Access authorization;
       -       Reviews of access authorization;
       -       Security awareness;
       -       A defined role for the security administrator;
       -       Security committee; and
       -       Hardware and software inventory control.


RECOMMENDATION

We recommend that the Chief, Region IV's IMB:

4-1.   Develop a security plan in accordance with OMB Circular A-130. In addition, management
       should report this deficiency as a “material weakness” in subsequent FMFIA Assurance
       Letters until the plan is completed.


AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 10, 1997, Region IV's Chief for Information Management
responded to our draft report (See Appendix I). In summary, Region IV officials concurred with our
recommendation and agreed to develop a security plan in accordance with OMB Circular A-130 by
November 28, 1997.

We concur with Region IV's response to our recommendations and will evaluate the security plan
during our follow-up review.


                                          CHAPTER 5

                              FORMALIZE LAN POLICY
                           AND MAINTENANCE PROCEDURES


Region IV lacks policies and procedures for overall LAN maintenance. IMB attributed the
non-existence of policies and procedures to conflicting priorities and scarce resources. Currently, IMB
has only two LAN Administrators to manage 28 servers.
A lack of policies and procedures could
lead to inconsistent application of settings and loss of accountability.

No Desk Procedures for LAN Administrators

There are no “desk” procedures for backup or new LAN administrative personnel to follow in the
event that the primary LAN administrators are unable to perform their duties. IMB attributed the
non-existence of procedures to conflicting priorities. These standard operating procedures should
include granting and terminating access to Region IV, making backup tapes, contingency plans,
troubleshooting the LANs, and general computer security administration matters. If the primary
LAN administrators are not available, other LAN administrative staff may have to assume their
duties. Without written procedures to guide the replacements, the Region IV LANs could be left
vulnerable, especially in the event of a disaster.

No Maintenance Plan for Region IV LANs

There is no maintenance plan for the Region IV LANs. Consequently, there is no regularly
scheduled LAN maintenance. IMB attributed the non-existence of policies and procedures to
conflicting priorities and scarce resources. For example, according to the LAN administrators,
account maintenance is performed as other duties permit. Regular maintenance is essential to
maintain the integrity and continuity of the Region IV LANs.


RECOMMENDATIONS

We recommend that the Chief, Region IV's IMB:

5-1.   Establish a maintenance plan for the Region IV LANs. This plan should include, but is not
       limited to, software installation, hardware upgrades, and capacity management. Regular
       maintenance is essential to maintain the integrity and continuity of the Region IV LANs.

5-2.
       Establish and maintain standard operating procedures for backup or new LAN administrative
       personnel to follow in the event that the primary LAN administrators are unable to perform
       their duties.


AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 10, 1997, Region IV's Chief for Information Management
responded to our draft report (See Appendix I). In summary, Region IV officials agreed with our
two recommendations. Specifically, management agreed to complete a new policy and
maintenance procedures plan by December 26, 1997.

We concur with Region IV's response to our recommendations and will evaluate these corrective
actions during our follow-up review.


                                           CHAPTER 6

                 LAN SETTINGS ARE NOT IN ACCORDANCE WITH
                 AGENCY STANDARDS AND INDUSTRY GUIDANCE


Some of the Region IV LAN account settings are not in compliance with the Agency’s LOPS manual
and best industry practices. We determined, through the use of Enterprise Security Manager (ESM)
software and discussions with responsible program officials, that IMB does not follow all of the
guidelines set forth in the Agency’s LOPS manual. This could leave the Region IV LANs vulnerable
to security breaches from hacker attacks within and outside the Agency. Discussions with IMB
management determined that they were unaware of required Agency LAN settings.

ESM is a client/server product which reports on the status of the existing client operating system,
in terms of security compliance to a set of standards. Axent Technologies designed the ESM client
to be installed on all supported multi-user operating systems to improve network security.
Host (Agency) security
standards are used as the benchmark for evaluating security. The ESM software consists of a
manager and an agent component designed to collect and report security relevant data (e.g., password
length required by the system, potential security vulnerabilities, etc.) for an entire enterprise from
a central location. We provide further details regarding the ESM product in Appendix II.

Due to the nature of the vulnerabilities noted, we decided to present them in a table format. On the
following pages, we used two tables to summarize the vulnerabilities and potential effects on the
Region IV LANs, as determined by ESM:


                       Tables have been redacted due to their sensitive nature.


RECOMMENDATION

We recommend that the Chief, Region IV's IMB:

6-1.   Based on the conditions identified, bring the Novell NetWare settings on the Region IV
       LANs into accordance with Agency and industry guidance.


AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 10, 1997, Region IV's Chief for Information Management
responded to our draft report (See Appendix I). In summary, Region IV officials agreed with our
recommendation. Region IV management stated that they will begin correcting these settings
immediately, and will continue to run the ESM program on a quarterly schedule to prevent this from
ever being a problem again.
They also plan to include this procedure in their standard operating
procedures and policy guidelines.

We concur with Region IV's response to our recommendations and will evaluate the corrective
actions during our follow-up review.


                                             APPENDIX I


THIS SECTION RESERVED FOR AGENCY RESPONSES
          TO FORMAL DRAFT REPORT


                                                                                        APPENDIX II


                        ENTERPRISE SECURITY MANAGER (ESM)


Enterprise Security Manager (ESM) is a client/server product which reports on the status of the
existing client operating system in terms of security compliance to a set of standards. Axent
Technologies designed the client to be installed on all supported multi-user operating systems to
improve network security. Host (Agency) security standards are used as the benchmark for
evaluating security.

The ESM software consists of a manager and an agent component designed to collect and report
security relevant data (e.g., password length required by the system, potential security vulnerabilities,
etc.) for an entire enterprise from a central location. The manager provides control over global
functions (e.g., report scheduling, report generation, etc.) that are independent of ADP architecture
and operating system (e.g., SUN/Solaris). The agent portion is specific to the particular operating
system architecture and provides the basic function of data collection for reporting to the manager.
The data collected and reported is stored on the manager system, alleviating storage constraints on
the agent system.
Agents exist as “processes” on VMS systems, as “daemons” (owned by root)
executing on UNIX systems, and as “NLMs” on Novell servers. An NLM enhances or provides
additional server functions in a server running NetWare Version 3. A graphical user interface (GUI)
is provided by ESM through which manager/agent functions can be controlled.

A manager can be installed on any system type currently supported by ESM (e.g., UNIX,
NetWare, VMS, etc.) and can service multiple agent systems (e.g., a NetWare server with a
manager can service agents on UNIX, NetWare, and VMS systems). Alternatively, separate managers
can be used for each architecture (e.g., NetWare servicing NetWare, UNIX servicing UNIX,
etc.), although this approach is more expensive than one manager servicing multiple architectures.


The ESM architecture provides for security of manager/agent communication through a password.
The password is supplied when the agent is installed and when the manager is invoked for
communication with the agent. Since the agents are owned by the operating system (e.g., an agent
executes as a daemon owned by root on UNIX systems), privileged access to the system on which the
agent is installed is not required by the user invoking the manager component. Privileged system
operation by the user invoking the ESM manager is disallowed and prevented. This properly segregates
the role of system administrator from that of the person conducting a review of system security
through use of the ESM software.

Further segregation of administrator/security reviewer roles can be achieved when using ESM. For
example, agents can be registered to (controlled by) more than one manager component.
Each
manager component can be invoked by different personnel to achieve personnel backups, or to
provide use of the product by both a security reviewer and a system administrator. In addition, a
manager can be designated as a super manager. Therefore, installing a manager component in each
EPA region would allow each region its own detailed use of ESM. The designation of an ETSD
super manager would allow ETSD’s Security Staff to receive only summary data from each regional
manager for the purposes of statistical or other reporting. The specific installed configuration is
determined by the site installing the product, and will be driven by availability of resources and
expertise, funding, political concerns, etc.


                                                        APPENDIX IV


                GLOSSARY


AFC     -   Atlanta Federal Center

DOS     -   Disk Operating System

ESM     -   Enterprise Security Manager

ETSD    -   Enterprise Technology Services Division (formerly NDPD)

FMFIA   -   Federal Managers’ Financial Integrity Act

GUI     -   Graphical User Interface

IMB     -   Information Management Branch (Region IV)

LAN     -   Local Area Network

LOPS    -   LAN Operational Procedures and Standards

NDPD    -   National Data Processing Division (See ETSD)

NLMs    -   Network Loading Modules

OIRM    -   Office of Information Resource Management

OMB     -   Office of Management and Budget

RTP     -   Research Triangle Park

SA      -   Systems Administrator

VABS    -   Value Added Backbone Services


                                                                          APPENDIX IV


                                REPORT DISTRIBUTION


Office of Inspector General

 Acting Inspector General (2410)

 Assistant Inspector General for Audit (2421)

 Principal Deputy Assistant Inspector General for Audit (2421)

 Deputy Assistant Inspector General for Internal Audits (2421)

EPA Headquarters

 Agency Audit Followup Official (3101)
  Attn: Assistant Administrator for Administration and Resources Management

 Agency Audit Followup Coordinator (2710)
  Attn: Audit Management Team

 EPA HQs Library

Region IV

 Chief, Information Management Branch
  Attn: Office of Policy and Management

 Chief, Grants, IAG and Audit Management Section

Athens, Georgia

 Director, Science and Ecosystems Support Division